Code Execution Flaws Patched in Foxit PDF Reader

Foxit has addressed over a dozen vulnerabilities in their PDF Reader, a free application that provides users with an alternative to Adobe Acrobat Reader.

Designed for viewing, creating, and editing PDF documents, Foxit PDF Reader is a popular free program that also has a broadly used browser plugin available.

Released on Friday, the latest version of the application addresses an Unsafe DLL Loading security bug reported by Ye Yint Min Thu Htut. The issue is created because the app “passes an insufficiently qualified path in loading an external library when a user launches the application,” the researcher explains.

The issue occurs when the application fails to resolve the DLL because the file doesn’t exist at the specified path. By placing a malicious DLL in the specified path directory, an attacker could exploit the vulnerability and execute remote code.

The new Foxit PDF Reader update also resolves five security vulnerabilities discovered by Cisco Talos security researchers, which could be exploited for code execution.

The first of them, CVE-2017-14458, is a use-after-free in the JavaScript engine of the application. When a document is closed, embedded JavaScript code continues to be executed, although used objects are freed up. Thus, an attacker can use a specially crafted PDF document to trigger a previously freed object, thus achieving arbitrary code execution.

“There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the internet could result in exploitation,” Talos explains.

The second bug, CVE-2018-3842, is a use of an uninitialized pointer flaw in the application’s JavaScript, and could be abused to achieve remote code execution.

Cisco Talos found two other flaws in the JavaScript engine of Foxit PDF Reader, both use-after-free bugs: CVE-2018-3850 and CVE-2018-3853. The former resides in the ‘this.xfa.clone()’ method, which results in a use-after-free condition, while the latter resides in combinations of the ‘createTemplate’ and ‘closeDoc’ methods related to the program’s JavaScript functionality.

The fifth vulnerability (CVE-2018-3843) results from a type confusion in the way the PDF reader parses files with associated extensions. A specially crafted PDF file could be used to exploit the flaw and disclose sensitive memory or, potentially, achieve arbitrary code execution.

Other vulnerabilities addressed in Foxit PDF Reader could also result in remote code execution, in information disclosure, or in application crashes, Foxit reveals in the update’s release notes.

Affected application versions include Foxit Reader and Foxit PhantomPDF 9.0.1.1049 and earlier. The vulnerabilities were addressed in Foxit Reader and Foxit PhantomPDF 9.1.
To read the original article